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(54) Method and apparatus tor free previews of communication networlc services 



(57) Limited duration previews of program offerings 
available, for purchase via a communication network are 
provided in a cryptographically secure manner at virtu- , 
ally any time during the service. The invention has pkr-' 
ticular applicability to the provision of video services on 
a pay-per-view basis. Such a video service is provided 
during a program epoch (PE). A fixed period (72-74) is 
defined during the program epoch (72-78) when portions 
of the video service are available for viewing on a preview 



tresis. A consumer is allowed to. preview, without pur- 
chase, portions of the video service at any time during 
the fixed period for up to a.tnaximum pre/iew duration 
■ (82) that is shorter than thefixed period (72-74): The con- 
sumer can then purchase the video service for viewing 
during the program epoch (72-78) after previewing por- 
tions thereof. A plurality of records (dO. 92, 94, 96, 98) is 
maintained to service different pfeviewable programs 
concurrently. 
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Description 

BACKGROUND OF THE INVENTION 

The present invention relates to communications 5 
networks such as cable television, satellite television and 
computer networks over which services are availat3l6 for 
a lee. and niore particularly to a method and apparatus 
for providing free previews of individual program offer- 
ings (e.g., a movie) prior to purchasing that offering. io 

Cat)le and satellite television networks v^ere video 
services are availat>le for a fee are well known. Also well 
known are computer network services' such as Com- 
puServe, Prodigy, America Online, Dialog Information 
Service, and others where databases, banking and is 
shopping services can be accessed and e-mail and the 
like can be communicated, all for a fee. In the past, some 
communication networks have provided services on a 
free trial basis. For example, pay per view television mov- 
ies, in which a viewer can order a movie for viewing upon 20 
payment of a fee, have sometimes enabled viewers to 
watch the first five minutes or so of the movie on a pre- ' 
view basis before purchase is required. Such previews 
were limited to a predefined time period at the beginning - 
of the movie. Free previews were not available at any 25 
other time during the broadcast of the movie. 

The provision of a limited free preview at any time 
during the broadcast of a service (such as a movie) 
would be desirable from a consumer's standpoint: For 
video services, a viewer would not be constrained to hav- 30 
Ing a preview only at the beginning of the program, which 
may not be a convenient time for the viewer. However, 
the provision of a limited duration free preview at any time 
during the availability of a service is fraught with danger 
from the standpoint of the service provider. Iri particular, 35 
opening up a service to free previews at any time nnay 
make it possible for an unscrupulous viewer or "pirate" 
to defeat the security of the signal and obtain the entire 
service without charge. 

It would be advantageous to provide a method and 40 
apparatus for allciwing a limited duration free preview at 
virtually any time during the provision of a service. It 
would be further advantageous to provide such a method 
and apparatus that are not easily taken advantage of by 
unscrupulous customers or pirates. Such a method and 45 
apparatus should mafntairi signal security while provid- - 
ing the flexbility of an "anytime free preview*" (AFP). It 
would also be advantageous to provide such a methdd 
and apparatus that eiiable a viewer tb 'switch back and ' ' 
forth between one or inbre AFPs (each associated with so 
a drff ererft Service) arid conventional progr'amrriihg; Each ' 
AFP wdiJld be limrted to its own particQi&^rnakimum AFP ^ ' 
duration. SucH a system most rerhaih ^lire at all times ' 
and prevent a vimer ^m 'dbtainirig free previews for '* 
more than the maxiniLim 'duratibn assigrted to the partic^ ' *55 
ular service/The present iriventfon provides a rriietHbd / * 
and apparatus "feiWng -the afbremeritiorial and o^ - ; 
advantages. : : 



SUMIWARY OF THE INVENTION 

A method in accordance with the present invention 
provides video services to consumers via an iritormatioh 
network. A video service is provided on a pay-per-view 
t>asis during a program epoch. A fixed period is defined 
during the program epoch when portions of the video 
service are available for viewing on a preview basis. A 
consumer is allowed to preview, without purchase, por- 
tions of the video service at any time during the fixed 
period for up to a maximum preview duration that is 
shorter than the fixed period. The nmimum preview 
duration is preferat)ly enforced in a cryptographically 
secure manner. In particular, a record can be mairrtained 
in a cryptographically secure manner to indicate the 
amount of unused preview time remaining for the con- 
sumer to view the video service during the fixed period. 
The fixed period during which portions of the S^deo serv- 
ice are available for previewing, as well as data identify- 
ing whethei- a preview is avaiiablefor a particular servic^, 
are also preferably maintained in a cryptographically 
secure manner. 

In a preferred embodiment, the method of the inven- 
tion enables a consumer to purchase the video service 
for viewing during the program epoch after previewing 
portions of the service. Also in the preferred embodi- 
ment, the program epoch is divided into a plurality of 
working key epochs (WKE's). A count of the WKE's is 
cryptographically authenticated! The authenticated 
count Is used to implement (l.e., define and keep track 
oQ said maxiriium preview duration. 

The rhethod can further conprise the steps of main- 
taining a record of services which the consumer has pre- 
viewed during prior program jspoichs. The consumer is 
then prohibited from previewing a service during a^. cur- 
rent program ef>och if the (kjnsdmer has prWiew^^ any 
part of that service dunWg a prior program epoch. This 
prevents a consumer from recording successive frei^ 
previews in order to accumulate a full movie or other pro- 
granri for viewinlg. The record of services whicti the con- 
sumer has previewed during prior program ^ochs can 
be maintained in a cryptographically secure manrier. 

in an illustrated embodiment up to N active records 
of previewable services can be maintained at a time. 
Each record conprises either a purchase record i^epre- 
senting a previewable service that has beeri' purchased 
by the consurTiei- or a preview record representing a serv- 
ice that the consumer has sel acted fof preview: the expi- 
ration of ah active ' pt'^ewable service record is 
prevented until the program epoch forthe service>epre- 
sentkl by that record is over The exj^iratioii time is con- 
trolled by ah expiration tinnier. Aiternatively. frie «<pi ration 
can be prevented by'^abllshing a fixed rninimiim time 
period (erg..' seifera^ hours) fer each redbrd. "rtfe fixed 
^jfninirnurh record duration is longer than the Idngest'seiv- 
ice that ha^ afree pfevlefw available. ' 

The method 'of the' present Inventiony carf also 
include the stfif^of pfeventing the erasure^cf ot/^^^ 
recdrd ' untfl 'the' program epoch for -'tiSe'^seiVice r4)re-^ 
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sented thereby Is over, in the illustrated embodiment, a 
preview record is converted to a purchase record upon 
. purchase by the consumer of the service represented by 
the preview record. At the time of conversion, the pur- 
chase record is rendered irrevocable. In such an embod- 5 
iment, the erasure of any preview record is prevented 
until the program epoch for the service represented 
thereby is over, except that a preview record can be 
erased by conversion to an irrevocable purchase record. 

Whenever all N records of previewable services are 10 
active, additional previews are denied to the consumer. 
However, a consumer can still purchase a service, in 
which event one of the preview records will be ovenAn-it- 
ten with a purchase record. Preferably, the next to expire 
preview record will be the one that is overwritten. When is 
a preview record is open, the consumer can be informed 
of how much unused preview time remains for the corre- 
sponding video service. 

Apparatus in accordance with the present invention 
provides previews of services available for purchase via 20 
a communication network. First means process data 
received from the communication network. The data (i) . 
identifies a service available for purchase, (ii) identifies 
a period of time (epoch) over v^rtiich the service is pro- 
vided, (iii) indicates whether a preview is available for the 2S 
service, and (iv) provides information necessary to gen- 
erate keys for enabling an authorized consumer to 
receive the service or a preview thereof. Second means. 
responsive to the first means when a previ ew is availab! e 
for the service, are provided for keeping track of a fixed 30 
period during the epoch when previewing is permitted. . 
A user interface cooperateis with the first and second 
means for enabling a consurner to preview portions of - : 
the service. at any time during the fixed period for up to^ 
a rnaximum preview duration that is s^ 3S 
period! Th^ user interfeca^so enables a consumer to 
purchase the Sfervice. Means are responsive to the first 
means.for decrypting the service during a preview and 
after a purchase thereof . , , . 

The appiaratus in accordance with the invention can 40 
further comprise means lor enfbrctng the maximum pre? 
view duration in a cryptographically secure manner. The. , 
apparatus can maintain a record in a cryptographically 
secure manner to indicate the amount of unus^ed pr.^iew ^ . . 
time rerriaining tor the consurner to view the.servk;e dur- 4S 
ing the fixed period. . - ^V- 

Means can be provided for maintaining up . to K; ^. 
active, records. of, prevjeyvable.servic Each . 

record comprises either a purchase record representing 
a pre/iewabie service that has been purchased by .the ^^50 
consumer . or apreview,record representing a service that . . ^ 
the consumer has selected for preview. Means are pro-.; , 
vided for preverrdpg Ihe expiration.of an active preview-.. . .., 
able, service record , until the pirogram .^ipch for, the 
service represented by ^at record is pver.^Means ,can ,.55 
further be prdvided for preventing the erasure of any prW ..^^ 
view record until the program epoch forthe service rep- 
resent.^ t^^ceby. is oyer, in an illustrat€!d.4emix)dime!^.;,,..: 
meanis.arjeVcyiq^ a pre/iew record to'a..^.. 



purchase record upon purchase by the consumer of the 
service represented by the preview record. The pur- 
chase record provided by the converting means is ren- 
dered in-evocable. Except for possible conversion to an 
inrevocable purchase record, the erasure off any preview 
record is prevented until the program epoch for the serv- 
ice represented thereby is over. 

The apparatus of the invention can further comprise 
means for denying any previews or previewable services 
to the consumer whenever all N previewable service 
records are active. Means can also t>e provided for 
informing the consumer of how much unused preview 
time remains for each service. 

In an illustrated emtxxiimerTt, the epoch over which 
the service is provided is divided into a plurality of work- 
ing key epochs. A cryptographically authenticated count 
of the working key epochs is used to implement said 
maximum preview duration. Means are provided for fur- . 
ther cryptographically authenticating at least the portion 
of the data that identifies whether a preview is availatDle 
for sakd service, and the fixed period during which pre- 
viewing is permitted. • • 

BRIEF DESCRIPTION OF THE DRAWINGS '"J' 

Figure 1 is a block diagram of apparatus in accord- 
ance with the preserrt invention; 
Figure 2 is a block diagram illustrating the decryptiop^^ 
hierarchy used in accordance with the presem 
invention; . , ... '=-2^ 

Rgure 3 is a time lirie^ tliustrating.different program . 
^chs that occur over time; . ,^ T'^ 

Figure 4 is a diagrammatic illustration of one pro^. 
gram epoch, illustrating various boundaries cori^ 
taibed therein., and a sample of^the working key^ 
epochs (WKE.*s) that , occur during the program 
epoch; 

Figure .5 is a diagrammatic illustration of various pre- 
view/program records tiiat are maintained in acoord- 
ance .with the invention; ^ . 

Ungure 6 is the first part of. a flowchart illustrating the 
authori:zation of anytime free previews in accord- 
ance, with the present invention; and 
Rgure 7 is a continuation of^the f Ipwcfiart of Figure 6. 

DETAILED DESCRIPTION OF THE INVEN-nON 

' Rgure 1 illustrates, in. blocj^ diajgram forn^, : the / 
deccyjation^portion of a digital satellite, Of cable television . 
.recdyer qr.tfie like. .An encrypted service. :(e.g.. a pre- 
mium, televisiori service). js. input, to terminal 10. By the>. 
time;th§ bitstream comprising tine service is input to ter- 
minal 10. it has already been receivedjand demodulated - 
frorr^Jhe comrrujriication.phannel pyer.wh ft is trans- _ 
..mittal,/using cbnventipnal .techriiques.. The. encrypted 
service is^decrypted by. a decryption ^^ipcessor- 12:in 
order to. provide a dear signal,?! out{^ 1 6 of tiie diecryp- > 
tion processor. " - . 
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The decryption processor can utilize a conventional 
decryption scheme^ such as that disdosed in Gilhousen, . 
et al. U.S. patent 4,613,901 entitled "Signal EncryjDtion 
and Distribution System for Controlling Scrambling and . 
Selective Remote Descrambling of Television Signals;"' 5 
or Bennett et al. U.S. patent 4.864.615 entitled "Repro- 
duction of Secure Keys By Using Distributed Key Gen- 
eration Data," both incorporated herein by reference. 
The decryption processor requires working keys (WK) in 
order to decrypt the signals Input thereto via terminal 1 0. 10 
The working keys are generated by a secure processor 
20 in response to control signals received via input/out- 
put (I/O) terminal 30. Firmware for the secure processor 
is stored in read only mernory (ROM) 24. The secure 
processor is also provided with random access memory 75 
(RAM) 22 in a conventional manner. A secure portion of 
RAM 22 holds unit specific keys and/or seeds for use in 
decryption of a monthly key. as discussed in greater . 
detail in connection with Figure 2. 

A user interface 26 enables a viewer to select serv- 20 
ices for viewing on a television (TV) 28. If a user is author- 
ized to receive the selected service by subscription or 
individual purchase (e.g., pay per view), secure proces- > 
sor 20 will actuate switch 1 8 to couple the decrypted out- 
put 16 from decryption processor 12 to the TV 28 via 2S 
user interface 26..0thenMse. the user interface and TV - 
will only receive the encrypted signal via fine 14 and 
switch 18. 

A typical key hierarchy is illustrated in Figure 2. An 
encrypted'program pre-key is input via terminal 40 to a 30 
decryption function Mwhich also receives a monthly key 
via terminal 42. The program pre-key is unique to each ^ 
encrypted program offering (e;g., television program) ^ . 
that is available for decryption. The monthly key is ' 
changed on a periodic basis, e.g., once each month. The i 35 
decryption function 44 decrypts the encrypted program 
pre-key to provide a program pre-key that is used as one • 
input to a, one-way function 48. The other input to one 
way function 48 comprises various program attributes, 
Including access requirements, for the corresponding '^4o 
program. The access requirements must t>e met In order 
to obtain authorization to view the program. The program - 
attributes are input via terminal 46, and the one way func- 
tion processes ^ the program pre-key and program 
attributes to provide a program key.^ The program key out- '45 
put from one. way-function 48'is used as one' input to 
another one way function 52 that dlso receives; via ter- ' 
minal 50, an initialization vector (IV): representative of 
time. The processing of the initialization vector and pro- • - 
gram key by one. way function 52 generates the' workings so 
keys required by-decryption prbcess6M2 (Figure 1) to 
decrypt the service selected by an authorized user. Afur- » r . 
ther description of ttie generation of the' various keys. ; ' 
including working keys (provided in a "keystream"), can 
be found in the aforementioned Bennett, et al. patent. • ' ss 

Rgure.3 is acdiagrammatic illustration of the initia^-- 
zation vector,thatis inptftlo terminal 50 of one way func- 
tion 52.. v:Trte initiali2ation^>vecton^'6a 'Commences' -a^ 
time =s hand runsruntil time «Ji which can be^foreK&nv'^ - 



pie. several weeks, at which time the count resets. During 
the time represented by the vector 60, a plurality of pro- 
gram epoctis (PEi through PEn) occur. Each program 
epoch can be of a different length, and is associated with 
one program offering. 

Figure 4 is a diagrammatic illistration of one pro- 
gram epoch, generally designated 70. The epoch starts 
at time 72 and ends at time 78. Prior to the end of the 
epoch, there is an AFP boundary 74 and a program 
boundary 76. The time between the start of the epoch 
72 and the AFP boundary 74 Is a fixed period during the 
Program epoch when portions of the program are avail- 
able for viewing on a preview basis. During this fixed 
period, the program can be previewed for a maximum 
AFP duration 82. As indicated by arrows 84 and 86 in 
Figure 4, the AFP can be viewed at any time from the 
start of the epoch to the AFP boundary, but only for up 
to the maximum AFP duration T provided. In order to 
permit a viewer to view some part of the allowed free 
preview time, tune away, and then return to watch* the 
remaining part, the maximum AFP duration 82 is main- 
tained as a count of working keys which is decremented 
as the allowable AFP time is used up. 

During a program epoch, working keys are gener- 
ated for authorized subscribers that have purchased or, 
during a preview period, requested a preview of the pro- 
gram. The program epoch is divided into a plurality of 
working key epochs (WKE's) 80. as illustrated in Figure 
4. For example, the working key epochs may occur at a 
rate of eight WKE's per second, or at any other interval 
that is desirable for a given implementation of the sys- 
tem. The WKE's can provide a convenient means for 
maintaining the integrity of the AFP boundary 74. In a 
preferred embodimenti the AFP boundary is the value of 
the WKE repriBseriting the bdijhdary beyond which an 
anytime free preview is not alldwedrThis pararfieter is 
authenticated by including it in the prograrn key genera- 
tors. The computation and maintenance of the AFP 
boundary is discussed in greater detail below. In connec- 
tion with Figures 6 and 7. 

The program boundary' 76 is the point at which the 
program provided during the epoch is expected to end. 
The end of the epoch 78 may extend beyond the program' 
boundary 76 to accommodate the possibility of a pro- ^ 
gram running over its original expected length. For exam- 
ple, if a program is ^interrupted by a news bulletin, the ' 
program ending tiriie may be' extended. Simiiariy; since 
it is impossible to accurately predict the end of a sports 
event; ft may be nec&sary to extend thd prdgrani bound- 
ary within -the program-epdch to acconinibdate a'game ' 
that runs into^dvertime/ ' ' - ^ ^ ' : . . - .: 

In accordance with the present inVehtioh, no free " 
previews'are permitted after the AFP bouriclary74. Thus," 
during the portion of a program 'that runs betwbbn the 
AFP bburidary 74^and the epoch end 78! free-'previiews 
can not be obtained. The reason for providing the AFP ' 
t)Oundary is to defend against certairrattacic^ biy a pirate 
who attempts td-use the AFP feature in order to obtain a 
program'orsertricewitiioutprot)iir payment. Inpartioilar,- 
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a pirate may attempt to change the time at which a pro- 
gram epoch ends in order to obtain free services. How- 
ever, this will not help him steal successive anytime free 
previews, because the AFP boundary is an authenti- 
cated value beyond which free previews will not be avail- 5 
.able. Further, as explained in greater detail below, the 
present invention establishes "records" of previews and 
purchased programs, which are not allowed to expire 
prematurely in a way that would be helpful to a pirate. 

In order to prevent the theft of services by taking 10 
advantage of the anytime free preview feature, the 
secure processor 20 (Figure 1) of the present invention 
securely regulates the duration of a program segment 
that may be viewed without purchase. In order to accom- 
plish this, the anytime free preview duration is main- is 
tained in units of working key epochs. The secure 
processor 20 counts the number of free working keys . . 
generated. When the count reaches a limit established 
by the maximum AFP duration 82 (Figure 4) , the author- 
ization state is changed from "can buy or obtain a free 20. 
preview" to "can buy only" The AFP duration is one of 
the program attributes that is included in the generation 
of the program key. Thus, it can not be altered without 
altering the program key itself, which would prevent the . 
correct decryption of the program. 25; 

As mentioned above, the system of the . present 
invention estat>lishes a record for each program pre- 
viewed or purchased. Once the user chooses to view an , 
AFP. a "preview record" is created in the secure proces- , 
sor 20 to define the number of free worWng keys allowed. . 30 
and to keep a real time counter to cause the record:to .;. 
expire when the evisnt or program is over. The timer must . 
continue to run whether or not the receiver i& synchro^ . 
n\ze6 to a scrambled or encrypted waveformr so, that. ;. 
records expire at tine. proper, time; If an- AFP record :were . 35 
to expire earjy.ja secorijd freei^viewing period could be 
taken. If the record expires Jate. no harm Isdope but the 
number of new free preview offerings is reduced during • 
the existence of the record beyond the erp of the pro- . .. 
gram.. • . 

In accordance with the present invention, up to .N 
multifunction. records are maintained. Each record is 
either a "preview record" representing ani. anytime free 
preview selected by the user, a "purchase record" repre- 
seriting a program that the user has bought Of ai? inactive 45, 
(null), record. Alsa in accordance witii the present inyen- . .-.^ 
tion, it is. not possible for a^ preview record for a. given : 
event to be erased before ttie event is over, except by a - 
legitimate purchase of the event or.anqther purchasable; ^> ... 
service, in which case.the record is overwritten to provide^ ^so^ 
a purchase record. Typcally. a user will request-a free .rt 
preview, and then divide vyhetiier or opt Jo purchase the 
event bas«J on, tfie free preview. If ttie event is not pur- - 
chased, the preview cecprd is rnairrtajned untfl the end, of ' b 
the event uriless another.servicei is purchased -t^^ over- . 5^; 
write it; \i the user decides to purchase the everit. ;tiien' . r- 
the preview record i^ ponverted to a purchase record, t t. \^ 

Preventing the erasure of. a preview.recprd^befor.e 
the eve^. is o>^r is.,an^^sentis^ 3 jx; 



invention. If preview records were merely stored in a f irst- 
in first-out queue (FIFO), older records would be lost as 
new records are added. A user could then cumulatively 
watch more tiian the free preview limit by scanning 
through and watching one second of a number of pro- 
grams to flush the queue, and then return to watch 
another free preview of the desired program. This oppor- 
tunity is precluded by the maintenance of each preview 
record for the entire evern once the preview record is' 
established. 

Also in accordance witii the invention, program pur- 
chases take precedence over free preview offerings. In 
a case where all N available preview/purchase records 
are active, and at least one record holds an AFP, the 
secure processor 20 will indicate the authorization state 
as "can buy." The reason for this is that even though- all 
of the available preview/purchase records are in use, one 
of the active preview records can be replaced by a pur- 
chase record. Preferably, the preview record that is 
replaced by the purchase record will be the one that is 
closest to expiring. 

It is also inrportant to carefully control any opportu- 
nity for a user to erase a preview record, since the ability 
to erase such a record provides an opportunity for abuses 
For example, a program that is "purchased" may have»:v 
been created by a pirate in his own interest. Therefbref; ~ 
in the case where a program purchase (i.e.. a purchased 
record) overwrites a preview record, the present inven-' 
tion provides various defenses. First, a purchase which- 
overvyrites a preview record involves a secure transfer of - 
debit. ;in which the debit total of the user's decoder<'i8|;. 
increased t>y: the program cost: The- number of pun??' 
chases made is also counted in a secure manner. Sedt^* 
ond, the purchase record itself renrains in memory untitls^ 
the purchased event is over. In tiiis manner, tiie reco^ 
is not-available for anotiier anytime free preview until the 
termination of the purchased event. ^ 

If^a-program selected for purchase is the program 
definedby a preview record, then tiiat record is simply 
converted to a purchase record and the record remains 
open. After a preview record has been activated, a sub- 
sequerrt purchase of that program .will be irrevocable. In 
this manner, the record for the program can not be 
erased. As a further precaution, the secure processor 20 
establishes a minimum expiration time for a- purchase 
record. This minimum time can be..for'exarrple^ on the ' 
order of one hour., and wiH frustrate FKrtentral attacks by 
a pirate that attempts to oause an early, es^ration of a 
purchase record^: : 7 - ' V - * . 

: > Tiniing of program durations and^anytime free pre- 
view p.eriods .is Maintained .by. secure proc^sor '20. A - 
real time program expiration counter is maintained in the 
secure processor for.this purpose. Program durations 
euxJ AFiP periods can be^iven in.unitS/Of working key . 

epochs.":^.*. . I,;-: * "i^ i ;'.*,*.* ^ . 

As indicatedabove. a. set of muttifunction records'is 
mainteuned inthe secure processor2D;tohaindle anytime-, 
free previ^m^^nd^purchased-programs; iA set of N such 
preview4prP9tarn reconte.is/illgstated diagraramatically ;< 
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in Figure 5. The records 90, 92. 94. 96 and 98 each 
include program attributes (including access require- 
ments) for the particular program or event that the record 
pertains to. A preview record will also maintain a count 
of the time remaining (e.g. . number of free working keys 5 
remaining) within the maximum AFP duration tor watch- 
ing a free preview. A purchase record is rendered irrev- : 
ocable when estat>lished after a free preview. 

The program attributes will comprise information 
such as the cost of the program, which access require- 10 
merits (e.g., "tiers") a user must subscribe to in order to 
receive the program, whether an AFP is available for the . 
program and if so how many free working keys are pro- 
vided for the AFP, an initial free preview boundary if an 
initial free preview is available instead of or in addition to is 
an anytime free preview, and various regional access 
information. Since the access requirements are authen- 
ticated by one way function 48, as shown in Figure 2, 
none of these requirements can be altered without alter- 
ing the program key that is used to generate the working 20 
keys for decrypting the program. H the program key used . 
to decrypt differs from the one used to encrypt, decryp- 
tion will fail. The inclusion of the maximum AFP duration - 
(i.e.. number of free WKs permitted) as an access 
requirement authenticates this parameter and prevents 25 
its alteration without invalidating the working keys. 

Each preview/purchase record also includes a 
record valid flag, a purchase flag, an expiration timer 
count and a portion of the program key used as a pro- 
gram identifier. The record valid flag can be. for example, 30 
a one bit flag ihat indicates whether the record is valid or . 
not. This flag, when set indicates that the record con- : 
tents are valid. When the flag is dear, the record is cur- 
rently undefined. 

The purchase flag indicates that the record 3S 
describes a purchase record instead of a preview record. 
The working key epoch count is disregarded if the pur- ' 
chase flag is. set. The expiration timer counts in prede- " 
fined units (e.g., 2.56 seconds) the time left in the ^ 
program. Once the record is expired, the record valid flag 40 
is cleared. . , - . \ . r : 

The portion of the program key provided in the pre- • 
view/purchase record comprises, e.g., five bytes of the 
clear program key and Is used as a program identifier. 
The working key epoch count counts the number of work- - 4s 
ing keys provided during the anytime free preview. 

As part of :the derivation of ah authorization state, 
which is required to enable a user to view a program, the ^ 
secure processor determines if a given program.is vi^- 
able via an anytime free preview;'lf an AFP is offered for so 
a particular program. but>'all 'of the' N> availal^le pre- ^ 
view/purchase records are in use- (as indicated by their- 
record valid flags), a free preview cannot be granted. 

Although a preview record could be established - 
each time a user tunes to a channel offering an AFR such ss 
action Is not preferred. The reason Is that as a user ^c- 
cessively tunes to different channels (an activity knovm 
as "channel-surfing?);: programs ^offering . AFPs* ^11 be 
successivBly :encounte^ and" the <N ^EE^IIable' retbrds 



will be quickly used up. Thus, the user interface 26 (Fig- 
ure 1) will offer the user the option to view an AFP if avail- 
able, will offer the user the option to buy a program being 
previewed, will provide the user with an indication of how 
much free preview time Is left for the program, and will 
handle cases where initial free preview (an offering of a 
preview for a limited duration at the very beginning of a 
program) and anytime free preview offerings interact In 
a preferred emtx)diment, the user interface is provkled 
via on screen displays on the user's television 28. The 
generation of such on screen displays Is well known in 
the art. 

In general, an on screen display will be available 
when the secure processor determines tfiat an AFP is 
available for an acquired program. The user interface will 
collect text messages defining the AFP option screen. If 
the user selects an AFP, the user interface reports this 
fact to the secure processor 20 and free access Is 
granted for up to the maximum AFP duration. In an alter- 
nate embodiment, an AFP can be automatically granted 
when a sufficient time has elapsed after the user tunes 
to a particular service. 

In order to handle possible conflicts between an ini- 
tial free preview and an anytime ^ree preview, it is pref- 
erat>le that several rules be enforced. First, if a program 
has been acquired during an initial free preview period 
(or during a preceding epoch), the fact that an AFP is 
offered shall be disregarded. If the user chooses not to 
purchase the program and the user encounters the same 
program at a later time after the initial free period is over 
(i.e.. after tuning away from the program and then back 
to the program); then an AFP rnay be offered. Second, 
a program purchased during the AFP period may never 
be cancelled^ Orx;e a'piirchase is made during an AFP 
period^ the purchase' is iriihiediate and in-evocable: 

RgUr^ 6ahd 7 lll^strBte. in flawchart^rm. the proc- 
ess by which 'anytirne free previews are- provided in 
accordance with the present invention. The routine conri- 
mences at box 1 GO. and at b>ox 1 02 a virbrking key epoch 
message is acquired. The WKE message identifies the 
WKE count within the current program epbch. At box 
1 04, a prograim rekey message is acquired. As indicated 
in connection with the description of Figure 2, the pro- 
gram pre-tey is required in order to generate the pro- 
-gram key arxi ultimately the working keys for authorized 
users. At box'106. the authorization state for the user is 
computed. In order to determine if the user is authorized 
to receive the program and any AFP provided foi- the pro- ' 
gram. If the User iiB authorized to receive the program, a 
''deterrriinatibn is rriade at tx>x 108 as to whrther or not 
the use^r h^ Indicated a de^re to purchase'the program. 
If so, a purchase record Is created at txjx 110. Upori cre- 
ation of the purchase record; a tKuruiated portion df the 
dear' program k^ (output'from-ohe way f unction 48' of 
"Figure 2) is stoi'ed at box '1 12. The clear program key is 
used by one way function 52 (Figure! 2) to derive the nec- 
essary working keys as indicated at kxK f 14^^ 

White the working keys are generated, a determina- 
tion Is made at box^tl 6 aos to whether the jSrbgnarin e^ioch 
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has ended. If not; the derivation of working keys contin- 
ues and the process loops between boxes 114 and 116 
until the program epoch ends. Upon ternrnnation of the 
program epoch, the purchase record is deleted as indi- 
cated at box 118. The routine then ends at box 120. 5 

If a program has not yet been purchased by an 
authorized user, the routine wilt proceed from box 108 to 
box 122 where a determination Is made as to whether 
the program epoch has ended. If so. the routine ends at 
box 120. If the program epoch has not ended, a deter- 10 
mination is made at box 124 as to whether an anytime 
tree preview is available. It not, the routine loops back to 
box 108. 

If an AFP is available for the program (as Indicated, 
^ for example, by a non-zero AFP count or by a separate is 
"AFP available" bit) a determination is made at fcx>x 126 . 
as to whether the user has requested to watch a free 
preview. K not, the routine loops back to box. 106. If an 
AFP is requested, the routine p>asses to box 128 of Fig- 
ure 7> At box 128, a preview record ts created. Then, at 20 
box 130 an AFP. expiration counter (AEC) is initialized. 
At box 132, the clear program key is stored together with 
the AFP count. The AFP count is deaemented with each 
working key. and provides a record of the remaining time 
in the maximum AFP duration (1 e . ttie amount of time 25 
that the viewer has left to preview the program for free). 

At box 134, a working key is created and the AFP„ 
count Is decremented. The program expiration time Is ; 
then computed directly from the cunem working Key 
epoch as indicated at box 136. In this manner, the APR 30 
record expiration Is dynamically recalculated every vyork- ^ 
Ing key. In particular, a variable M is conputed where 
lA = (AFP boundary- current WKH count) . M . is then 
converted to real time using simple -scaJling, and if the 
result is bigger thari, the .A£C;.as determi :. 35 

the AEC is overwritten ^e computed expiration time 
at box 1 40. This will lengthen the AEG to prevent a pirate 
from attempting to shorten the AEC in order to extinguish 
a preview, record and obtain an additional AFP for 
program. . / ^ • . ; 40 

After the AEC is tested and if necessary, oyenvrltten, 
a determination is made, at box -144. as to whether the ; 
AFP maximum duration has expired (i.e.. if .the number - 
of free working keys for the preview has been decre- 
mented to zero). If so. any furthea' AFP :fpr:the program - 4S 
is deauthorized at bc»c. 152. Otherwise, a determination ; , 
is made at box 1 46 as to whether the AFP bpundaryjhas - : 
been passed.^ The AFP- boundary iS ithe working key ot 
epoch count represeriting the boundary beyond v^^ich 
an anytime free, preview is not allowed. As indicated, 0^ 
above, this parameter is authenticated by including it in . >.'M 
the program, key generators. - ... - - ^ : \ 

If the AFP boundary has been.passed, any.furttier 
AFP for the programvis deauthprized at box 1.52. Qther-.a.c. 
wise, a determination is made,at t>ox .148 as tOj whether t:.s5 
the AFP has been terminated by theijser. H not. the rou- ; 
tine waits for the n^,working key epoch :(b<jx- 149) and 
then a n w.yvqrkirig key is created at bw 1 34..The routine 
then continu^s untii either^the AFP rnaxiniunr) duration -^c;? 
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has expired, the AFP boundary has been passed or the 
AFP is terminated by the user. Upon termination of the 
AFP by the user, tiie current AFP duration count is held 
as indicated at box 150 and nothing is done until the pro- 
gram is purchased, tfie program epoch ends, or an AFP 
is again requested. The AFP duration count will enakDie 
the user, to reinitiate an anytime free preview during the 
program, and before the AFP boundary, until the maxi- 
mum AFP duration has expired. 

Upon holding the AFP duration count after an AFP 
is terminated by the user, or deauthorizing the AFP after 
the maximum AFP duration has expired or the AFP . 
tx>undary has been passed, the routine of Figures 6 and 
7 returns to box 1 08. A user can then purchase the pro- 
gram or service unless the program epoch has ended. 

in an alternate emt>odiment, the maintenance of the 
AFP expiration counter and computation of the expiration 
time from the WKE (tx>xes 1 30 and 1 36 to 1 40 of Figure 
7) can be eliminated by simply setting a minimum pre- 
view record expiration time. For example, a preview 
record once established can be maintained for a mini- 
mum of two hours. This will secure the anytime free pre- 
view feature such that a pirate can not steal more than ' 
one AFP every two hours. If the minimum preview record 
expiration time is longer than the longest typical program' 
epoch, then eitiier this metiiod or the method lllustratecR 
in Figure 7 can be used to prevent the expiration of an^ 
active previewable. service record until the prograrf^^ 
epoch for the service represented by that record is over.^ 

It should now be appreciated that the present inven^ ' ~ 
tion provides a free preview feature for services available^, 
for a fee over a communication network. A potential pr^^^ 
gram purchaser is provided with the ability to view a lirn?^ 
ited number of minutes of a movie or other program fo|^^ 
free.. as an enticement to purchase the service. Thet^ 
present Invention Improves upon^ prior art Implementa-"'^ 
tions, where only the beginning portiori of a movie could 
t>e viewed without charge. With the anytime free preview 
feature of the present invention, previewing is not limited 
to the beginning of a service. The duration of the free 
preview is variable and nnay be defined on a program by 
program t^sis by specifying, as a program attribute, a 
maxirnum AFP duration. The invention also enal>les a 
user tp view a portion otan available free preview at one ' 
time, tune away^. and then return to watch ari additional 
portion of the.free preview. The user can iDreak the free 
preview into as many portions as desired, as long as the 
maximum AFP duration is not exceeded. n : ♦ 

Although the invention has been described in con- ; 
.nection.with specif Ic/embodiments thereof, those skilled 
in the art vvill:appreciateihat numerous adaptations.and' 
modifications may be rtiade thereto without departing 
from the spirit, and scope of the invention as set forth in . 
the claims.- - ' . ""*; -"^ jv " ' 

Claims . ^ .;n: x.f,-^:,;,^ t.-r^ z-^'.-r 3* r 

1 . Ajmethodfbr provid'rng .yideqseryices to consumers 
yl.a'aninfoFmatiQn'i;ietvi(orXi of: 
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providing a video service on a payrper-view 
basis during a program epoch; 

defining a fixed period during said program 
~ epoch when portions of said video service are avail- 
able for viewing on a preview basis; 

allowing a consumer to preview, without pur- 
chase, portions of said video service at any time dur- 
ing said fixed period for up to a maximum preview 
duration that is shorter than said fixed period; and 

enforcing said maximum preview duration in 
a cryptographically secure manner. 

2. A method in accordance with daim 1 comprising the 
further step of: 

enabling a consumer to purchase said video 
service for viewing during said program epoch after 
previewing portions thereof. 

. 3. A method in accordance with claim 1 or 2 wherein 
said program epoch is divided into a plurality of 
working epochs (WKE*s), comprising the further 
steps of: 

cryptographically authenticating a count of 
said WKE's; and 

using the authenticated count to inrplement 
said maximum preview duration. 

4. A method in accordance with one of the preceding 
claims comprising the further step of: 

maintaining a record to indicate the amount 
of unused preview time remaining for said consumer 
to view said video service during said fixed period; 

wherein said record is maintained in a cryp- 
tographically secure nnanner. 

5. A method in accordance with one of the preceding 
claims comprising the further steps of: 

maintaining a record of services which said 
consumer has previewed during prior program 
epochs; and 

prohibiting said consumer from previewing a 
service during a current program epoch if the con- 
sumer has previewed any part of that service during 
a prior program epoch. 

6. A method in accordance with claim 5 wherein said 
record of services is nrtaintained in a cryptographi- 
cally secure manner. 

7. A method in accordance with one of the preceding 
claims comprising the further st^s of: 

maintaining up to N active records of preview- 
able services at a time, each record comprising 
either a purchase record representing a previewable 
service that has been purchased by said consumer 
or a preview record representing a service that said 
consumer has selected for preview; and 

preventing the expiration of an active pre- 



viewable service record until the program epoch for 
the service represented by that record is over. 

8. A method in accordance with claim 7 comprising the 
5 further step of : 

preventing the erasure of any preview record 
until the program epoch for the service represented 
thereby is over. 

10 9. A method in accordance with claim 7 conprising the 
further steps of: 

converting a preview record to a purchase 
record upon purchase by the consumer of the serv- 
ice represented by the preview record; and 

15 rendering the purchase record resulting from 

said converting step in^evocaksle. 

10. A method in accordance with claim 9 comprising the 
further step of: 

20 > preventing the erasure of any preview record 

until the program epoch for the service represented 
thereby is over, except by conversion to an irrevoca- 
ble purchase record. 

25 11. A method in accordance with one of claims 7 to 10 
comprising the further step of: 

denying any additional previews to said con- 
sumer whenever all N previewable service records 
are active. 

30 

. 12. A method in accordance with one of the preceding 
claims comprising the further step of : 

informing said consumer of how much 
uhused preview time remains for said video service. 

13. A method in accordance with- 6ne of thepreceding 
daims wherein said fixed period is enforced in a 
cryptographically secure manner, = 

40 14. ApparatLJS for providing previews of services availa- 
ble for purchase via a communication network, com- 
prising: 

first rheans for processing data received from 
said communication network said data (i) identifying 

45 a service available for purchase, (ii) identifying an 
epoch over which said iservice is provided, (m) \nd\- 
cating whether a preview is available for said serv- 
ice; iahd <iv)' providingHnforrfiation necessary to 
gerierate kisys for ehal^ling an authorized consumer 

so to receive said service or a preview tfiereof ; 

second means responsive to said first means 
when a preview is available for said service for keep- 
ing track of a fixed period duririg said epoch When 
previewing is perrnitted; , ; • . r 

55 - ' " • V a user interface "cobperatirig wiWsaid first 
and^ecorid means for ehabling a corisiJmer to pre- 
view portions of said service! at any timia during said 
fixed period for up to a maximum preview duration 
that is shorter than said fixed period, said user inter- 
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face also enabling a consumer to purchase said 
service; and 

means responsive to said first means for 
decrypting said service during a preview and after a 
purchase thereof. 5 

1 5. Apparatus in accordance with claim 1 4 further com- 
prising means for enforcing said maximum preview 
duration in a cryptographically secure manner. 
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16. Apparatus in accordance with one of claims 14 or 
15 further comprising: 

means for maintaining a record in a crypto- 
graphically secure manner to indicate the amount of 
unused preview time remaining for said consumer 
to view said service during said fixed period. 
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1 7. Apparatus in accordance^ with one of claims 1 4 to 1 6 
further comprising: 

. means for maintaining up to N records of 20 
active previewable services at a time, each record 
' comprising either a purchase record representing a 
previewable service that has been purchased by 
said consumer or a preview record representing a 
service that said consumer has sel ected for preview; 25 
and 

means for preventing the expiration of an 
active previewable service record until the program 
epoch for the service represented by that record is 

over. 30 

18. Apparatus in accqrClance with.claim 17 further com: 
prising: , ' . ' . 

means for preventing the erasMre of ariy pre: 
view record until the program epoch for tfie service 3S 
represented ti^reb)fjs over.;, 7.::..^ 

1 9. Apparatus in accordance with plaim 1 7 further com- 
prising: 

. means for converting a preview record to a 40 
purchase record upon purchase biy the consumer of 
the service represented by the preview record; and 
mearrs for rendering the purchase record pro- 
vided by said converting means irreyocatile.-. . 

20. Apparatus in accordance with claim 1 9 further com- 
prising: . ^ , ' .. . .. ,, , 

means for preventing the erasure of arjy pre- 
view record untij the. progrjam epoch for tiie service 
represented thereby is over, e^Kcept by conversion to so 
an irrevocafc)ie purcljase reco^^^ . 0.^.* 

21 . Apparatus in apqondance with one ofidaims .1 7 to 20 
further corrprising: . .^s . -. 

mearis for d^nyirig any aciditional previews or s$ 
previewable services to said consumer whenever aU 
N previewable service records are active. ... , . 



22. Apparatus in accordance with one of claims 1 4 to 21 
wherein said user interface corrprises: 

means for informing said consumer of how 
much unused preview time renrains for said service. 

23. Apparatus in accordance with one of claims 1 4 to 22 
wherein said epoch is divided into a plurality of work- 
ing key epochs, a cryptographically authenticated 
count of which is used to implement said maximum 
preview duration. 

24. Apparatus in accordance with one of claims 1 4 to 23 
further comprising: 

means for cryptographically authenticating at 
least the portion of said data that identifies whether 
a preview is available for said service. 

25. Apparatus in accordance with one of claims 1 4 to 24 
wherein said fixed period is enforced in a crypto- 
graphically secure manner. 
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